From ae893b1d7f9c63fc19e975027e3fa7601512b0c9 Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 14:34:08 -0600 Subject: [PATCH 01/11] Content: Password Management for #8 --- bestpractices/content/passwords.md | 64 ++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 bestpractices/content/passwords.md diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md new file mode 100644 index 0000000..411bbcb --- /dev/null +++ b/bestpractices/content/passwords.md 
@@ -0,0 +1,64 @@ +# Password Management + +Maintaining open source software often means juggling a variety of responsibilities—from ensuring code quality to building a thriving community of contributors. Projects often find themselves juggling accounts on a variety of platforms like code repositories domain providers, and container repositories, all while trying to control access to the right set of individuals. This is often messy and a source of vulnerability. + +This post aims to help open source maintainers understand: + +1. The value of using a password manager for both personal and project credentials. +2. How to scan for accidentally committed secrets using open source tools like [trufflehog](https://github.com/trufflesecurity/trufflehog). +3. Techniques for setting up pre-commit hooks and CI scans to ensure secrets do not leak into your repositories. + +--- + +## Risks of Insecure Password Management + +Hardcoded passwords, API keys, and other secrets in your repository can expose your project to risks like: + +- **Account Takeover**: Exposed credentials can allow unauthorized access to critical services (e.g., package registries, CI/CD systems, or infrastructure). +- **Reputation Damage**: A security breach can harm your project's reputation, deterring potential collaborators or users. +- **User Supply Chain Risk**: With unauthorized access, attackers can push harmful content to your users. Most often, this is simply defacement or malicious binaries (like cryptojackers), but can sometimes be more insidious. + +Ensuring that passwords and other sensitive credentials remain secure is essential for any project that wants to maintain trust and protect both its developers and users. + +--- + +## Best Practices for Secret Handling + +1. **Never store passwords or tokens directly in your repository.** Use something like GitHub Secrets to manage your secrets during CI/CD. +2. **Limit Credential Scope**: Give each service or token the least privileges possible. 
Avoid reusing passwords across multiple services. +3. **Rotate Credentials Regularly**: If you accidentally expose a secret, be prepared to revoke or rotate it immediately. +4. **Educate Contributors**: Let your community know about these security measures. Provide clear guidelines for how they should handle secrets. + +--- + +## Using a Password Manager + +One of the easiest ways to ensure secrets stay secure is to use a password manager. Password managers offer: + +- **Encrypted Storage**: Passwords are stored in an encrypted vault, reducing the risk of accidental exposure. +- **Secure Sharing**: Share credentials safely among project maintainers without resorting to email or plaintext messages. +- **Strong, Unique Passwords**: Automatically generate strong passwords for each service to minimize the damage if one account is compromised. + +If you’re looking for a managed solution, [1Password](https://github.com/1Password/for-open-source) provides a **free Teams account for Open Source Projects**. An open source alternative is [Bitwarden](https://github.com/bitwarden/). + +--- + +## Scanning for Secrets + +Even with a password manager, mistakes can happen. You or a contributor might accidentally commit a password, API key, or other credentials to the repository. Fortunately, tools like [trufflehog](https://github.com/trufflesecurity/trufflehog) can help detect these secrets before they make their way into production or public repositories. + +For usage details, see the official [Trufflehog documentation](https://github.com/trufflesecurity/trufflehog). + +When evaluating a secret scanning tool, there are several key features to look for: + +1. **Relevance**: The relevance to the secrets your project uses. Most of these tools use regular expressions to identify the service associated with the credential. Some also test the credential to determine if it's still active, which helps reduce false positives. 
Review their documentation to make sure that the services you use are monitored. +2. **Pre-commit hooks**: The best time to catch a mistake is before it happens. If you can configure the tool into [pre-commit hooks](https://pre-commit.com/), you can detect the secrets _before you commit them to the remote repository_. +3. **CI/CD**: We work in distributed teams and building checks into our automated processes will help protect everyone. + +The Security Committee has found that TruffleHog fits nicely because it is open source, supports a wide range of detectors, and has convenient pre-commit hooks and CI integrations. + +--- + +## Conclusion + +Password management is a foundational security practice for any open source project, including those under NumFOCUS. By leveraging password managers such as [1Password](https://github.com/1Password/for-open-source) (with its free Teams account for eligible OSS projects) and incorporating secret scanning tools like [trufflehog](https://github.com/trufflesecurity/trufflehog) into your workflow, you can significantly reduce the risk of accidental credential leaks and protect your maintainers and users. From 56a581132609f35fad58072f67d005b480eb8a4e Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 15:34:50 -0600 Subject: [PATCH 02/11] Update bestpractices/content/passwords.md Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> --- bestpractices/content/passwords.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index 411bbcb..4010ae2 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -4,8 +4,8 @@ Maintaining open source software often means juggling a variety of responsibilit This post aims to help open source maintainers understand: -1. The value of using a password manager for both personal and project credentials. -2. How to scan for accidentally committed secrets using open source tools like [trufflehog](https://github.com/trufflesecurity/trufflehog). +1. The value of using a password manager for both personal and project credentials. +2. How to scan for accidentally committed secrets using open source tools like [trufflehog](https://github.com/trufflesecurity/trufflehog). 3. Techniques for setting up pre-commit hooks and CI scans to ensure secrets do not leak into your repositories. --- From 56e2a603d10388955d52edd0ee86dd83cf99f9ac Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 15:35:00 -0600 Subject: [PATCH 03/11] Update bestpractices/content/passwords.md Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> --- bestpractices/content/passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index 4010ae2..adb4abb 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -14,7 +14,7 @@ This post aims to help open source maintainers understand: Hardcoded passwords, API keys, and other secrets in your repository can expose your project to risks like: -- **Account Takeover**: Exposed credentials can allow unauthorized access to critical services (e.g., package registries, CI/CD systems, or infrastructure). +- **Account Takeover**: Exposed credentials can allow unauthorized access to critical services (e.g., package registries, CI/CD systems, or infrastructure). - **Reputation Damage**: A security breach can harm your project's reputation, deterring potential collaborators or users. - **User Supply Chain Risk**: With unauthorized access, attackers can push harmful content to your users. Most often, this is simply defacement or malicious binaries (like cryptojackers), but can sometimes be more insidious. From 9d729bab951e66d7b59c0e2caf6fbcd4b6a56dd4 Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 15:35:07 -0600 Subject: [PATCH 04/11] Update bestpractices/content/passwords.md Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> --- bestpractices/content/passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index adb4abb..58551b2 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -25,7 +25,7 @@ Ensuring that passwords and other sensitive credentials remain secure is essenti ## Best Practices for Secret Handling 1. **Never store passwords or tokens directly in your repository.** Use something like GitHub Secrets to manage your secrets during CI/CD. -2. **Limit Credential Scope**: Give each service or token the least privileges possible. Avoid reusing passwords across multiple services. +2. **Limit Credential Scope**: Give each service or token the least privileges possible. Avoid reusing passwords across multiple services. 3. **Rotate Credentials Regularly**: If you accidentally expose a secret, be prepared to revoke or rotate it immediately. 4. **Educate Contributors**: Let your community know about these security measures. Provide clear guidelines for how they should handle secrets. From 618751f8bec07d5b0062ba164477934772788522 Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 15:35:14 -0600 Subject: [PATCH 05/11] Update bestpractices/content/passwords.md Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> --- bestpractices/content/passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index 58551b2..78ca014 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -26,7 +26,7 @@ Ensuring that passwords and other sensitive credentials remain secure is essenti 1. **Never store passwords or tokens directly in your repository.** Use something like GitHub Secrets to manage your secrets during CI/CD. 2. **Limit Credential Scope**: Give each service or token the least privileges possible. Avoid reusing passwords across multiple services. -3. **Rotate Credentials Regularly**: If you accidentally expose a secret, be prepared to revoke or rotate it immediately. +3. **Rotate Credentials Regularly**: If you accidentally expose a secret, be prepared to revoke or rotate it immediately. 4. **Educate Contributors**: Let your community know about these security measures. Provide clear guidelines for how they should handle secrets. --- From a7fe20baa8c32ce092820a32a8d0197aa5dd524f Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 15:37:08 -0600 Subject: [PATCH 06/11] Update bestpractices/content/passwords.md Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> --- bestpractices/content/passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index 78ca014..e663ce1 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -47,7 +47,7 @@ If you’re looking for a managed solution, [1Password](https://github.com/1Pass Even with a password manager, mistakes can happen. You or a contributor might accidentally commit a password, API key, or other credentials to the repository. Fortunately, tools like [trufflehog](https://github.com/trufflesecurity/trufflehog) can help detect these secrets before they make their way into production or public repositories. -For usage details, see the official [Trufflehog documentation](https://github.com/trufflesecurity/trufflehog). +For usage details, see the official [Trufflehog documentation](https://github.com/trufflesecurity/trufflehog). When evaluating a secret scanning tool, there are several key features to look for: From adb92956fa33999c975eb844af772a7a21ca99db Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 15:37:33 -0600 Subject: [PATCH 07/11] Update bestpractices/content/passwords.md Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> --- bestpractices/content/passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index e663ce1..8b1dd85 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -52,7 +52,7 @@ For usage details, see the official [Trufflehog documentation](https://github.co When evaluating a secret scanning tool, there are several key features to look for: 1. **Relevance**: The relevance to the secrets your project uses. Most of these tools use regular expressions to identify the service associated with the credential. Some also test the credential to determine if it's still active, which helps reduce false positives. Review their documentation to make sure that the services you use are monitored. -2. **Pre-commit hooks**: The best time to catch a mistake is before it happens. If you can configure the tool into [pre-commit hooks](https://pre-commit.com/), you can detect the secrets _before you commit them to the remote repository_. +2. **Pre-commit hooks**: The best time to catch a mistake is before it happens. If you can configure the tool into [pre-commit hooks](https://pre-commit.com/), you can detect the secrets _before you can commit them locally and subsequently push changes to the remote repository_. 3. **CI/CD**: We work in distributed teams and building checks into our automated processes will help protect everyone. The Security Committee has found that TruffleHog fits nicely because it is open source, supports a wide range of detectors, and has convenient pre-commit hooks and CI integrations. From f33a5c750772681e6b639e4db184f994ed079b80 Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 15:37:43 -0600 Subject: [PATCH 08/11] Update bestpractices/content/passwords.md Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> --- bestpractices/content/passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index 8b1dd85..565e031 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -45,7 +45,7 @@ If you’re looking for a managed solution, [1Password](https://github.com/1Pass ## Scanning for Secrets -Even with a password manager, mistakes can happen. You or a contributor might accidentally commit a password, API key, or other credentials to the repository. Fortunately, tools like [trufflehog](https://github.com/trufflesecurity/trufflehog) can help detect these secrets before they make their way into production or public repositories. +Even with a password manager, mistakes can happen. You or a contributor might accidentally commit a password, API key, or other credentials to the repository. Fortunately, tools like [TruffleHod](https://github.com/trufflesecurity/trufflehog) can help detect these secrets before they make their way into production or public repositories. For usage details, see the official [Trufflehog documentation](https://github.com/trufflesecurity/trufflehog). From b25515ab56b36bf1dd151107304d1d63e5226954 Mon Sep 17 00:00:00 2001 From: Joseph Lucas Date: Wed, 26 Feb 2025 15:37:53 -0600 Subject: [PATCH 09/11] Update bestpractices/content/passwords.md Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> --- bestpractices/content/passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index 565e031..dfbddda 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -61,4 +61,4 @@ The Security Committee has found that TruffleHog fits nicely because it is open ## Conclusion -Password management is a foundational security practice for any open source project, including those under NumFOCUS. By leveraging password managers such as [1Password](https://github.com/1Password/for-open-source) (with its free Teams account for eligible OSS projects) and incorporating secret scanning tools like [trufflehog](https://github.com/trufflesecurity/trufflehog) into your workflow, you can significantly reduce the risk of accidental credential leaks and protect your maintainers and users. +Password management is a foundational security practice for any open source project, including those under NumFOCUS. By leveraging password managers such as [1Password](https://github.com/1Password/for-open-source) (with its free Teams account for eligible OSS projects) and incorporating secret scanning tools like [TruffleHog](https://github.com/trufflesecurity/trufflehog) into your workflow, you can significantly reduce the risk of accidental credential leaks and protect your maintainers and users. From 9cdf750d92dde5433618775e3304bd8c002aab6a Mon Sep 17 00:00:00 2001 From: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> Date: Thu, 27 Feb 2025 03:57:41 +0530 Subject: [PATCH 10/11] Fix a typo, fix spelling notation of "TruffleHog" --- bestpractices/content/passwords.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index dfbddda..cedf0bd 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md 
@@ -5,7 +5,7 @@ Maintaining open source software often means juggling a variety of responsibilit This post aims to help open source maintainers understand: 1. The value of using a password manager for both personal and project credentials. -2. How to scan for accidentally committed secrets using open source tools like [trufflehog](https://github.com/trufflesecurity/trufflehog). +2. How to scan for accidentally committed secrets using open source tools like [TruffleHog](https://github.com/trufflesecurity/trufflehog). 3. Techniques for setting up pre-commit hooks and CI scans to ensure secrets do not leak into your repositories. --- @@ -45,7 +45,7 @@ If you’re looking for a managed solution, [1Password](https://github.com/1Pass ## Scanning for Secrets -Even with a password manager, mistakes can happen. You or a contributor might accidentally commit a password, API key, or other credentials to the repository. Fortunately, tools like [TruffleHod](https://github.com/trufflesecurity/trufflehog) can help detect these secrets before they make their way into production or public repositories. +Even with a password manager, mistakes can happen. You or a contributor might accidentally commit a password, API key, or other credentials to the repository. Fortunately, tools like [TruffleHog](https://github.com/trufflesecurity/trufflehog) can help detect these secrets before they make their way into production or public repositories. For usage details, see the official [Trufflehog documentation](https://github.com/trufflesecurity/trufflehog). From bcb1bfd867a10c5eb4832bdffd6e9894993a15c2 Mon Sep 17 00:00:00 2001 
From: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com> Date: Thu, 27 Feb 2025 04:00:35 +0530 Subject: [PATCH 11/11] =?UTF-8?q?Add=20a=20reference=20to=20SPEC=206=20?= =?UTF-8?q?=E2=80=93=20"Keys=20to=20the=20Castle"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bestpractices/content/passwords.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bestpractices/content/passwords.md b/bestpractices/content/passwords.md index cedf0bd..a8aef2b 100644 --- a/bestpractices/content/passwords.md +++ b/bestpractices/content/passwords.md @@ -62,3 +62,5 @@ The Security Committee has found that TruffleHog fits nicely because it is open ## Conclusion Password management is a foundational security practice for any open source project, including those under NumFOCUS. By leveraging password managers such as [1Password](https://github.com/1Password/for-open-source) (with its free Teams account for eligible OSS projects) and incorporating secret scanning tools like [TruffleHog](https://github.com/trufflesecurity/trufflehog) into your workflow, you can significantly reduce the risk of accidental credential leaks and protect your maintainers and users. + +For additional reading on security best practices beyond password management and around project-specific recommendations, please refer to [Scientific Python - SPEC 6 — "Keys to the Castle"](https://scientific-python.org/specs/spec-0006/). \ No newline at end of file
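Review bot: In PATCH 01, the intro's objective 3 ("Techniques for setting up pre-commit hooks and CI scans to ensure secrets do not leak into your repositories") is not delivered by the "Scanning for Secrets" section, which only links to the TruffleHog documentation and lists evaluation criteria; either add the concrete setup guidance the intro promises (a pointer to TruffleHog's own pre-commit and CI instructions at minimum) or soften objective 3 to "What to look for in a secret scanning tool". Two smaller points in the same hunk: the heading "Rotate Credentials Regularly" is followed only by reactive advice ("If you accidentally expose a secret, be prepared to revoke or rotate it immediately"), so either add a sentence on periodic rotation or retitle the item to match its body; and "code repositories domain providers, and container repositories" is missing a comma after "repositories". It would also help readers to say explicitly that the pre-commit hook in item 2 only protects clones where a contributor has installed it, which is exactly why the CI/CD check in item 3 is needed as the backstop.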
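Review bot: PATCH 02 through PATCH 06 and PATCH 09 each replace a line with a visibly identical line (for example "-2. **Limit Credential Scope**: ..." followed by "+2. **Limit Credential Scope**: ..."), which indicates trailing-whitespace-only changes; these six one-line commits add no reviewable content on their own and would be cleaner squashed into a single "Strip trailing whitespace" commit, or folded into PATCH 01 so the file never carries the whitespace in the first place.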
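Review bot: In PATCH 07 the new emphasised clause "before you can commit them locally and subsequently push changes to the remote repository" reads awkwardly, since "before you can commit" suggests the hook blocks committing rather than describing when detection happens; suggest "before they are committed locally, let alone pushed to the remote repository", which keeps the point the change is making (the hook runs at commit time, not at push time).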
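Review bot: PATCH 08 introduces the misspelling "TruffleHod" in the "Scanning for Secrets" paragraph, which PATCH 10 then corrects; squash the two so the typo never enters history. PATCH 10 also leaves the spelling inconsistent despite its subject line ("fix spelling notation of TruffleHog"): the unchanged context line "For usage details, see the official [Trufflehog documentation](...)" still uses "Trufflehog", so that link text should be changed to "TruffleHog" in the same commit.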
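Review bot: PATCH 11 leaves the file without a trailing newline ("\ No newline at end of file"), which will show up as a diff artifact in every later edit and trips some Markdown linters; add the final newline. The added sentence "For additional reading on security best practices beyond password management and around project-specific recommendations" is also hard to parse; suggest "For additional reading on security practices beyond password management, and for project-specific recommendations, see ..." while keeping the SPEC 6 link as is.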